Who Owns the Risk?

Back in my late 20s I was a project manager in a pretty good sized IT shop. I worked under a great VP that put me in situations that were really beyond my abilities. He fundamentally believed that I’d do a good job for him. He trusted that I’d learn what I needed to learn and use good judgement about when to ask for help. There was a point in my career where everything interesting on my resume was a direct result of some project this guy had me lead.
One of those projects was a pretty significant identity and access management initiative where we were building out a corporate LDAP infrastructure. The goal was to establish an integrated authentication engine so clients could basically sign on to any of our web properties with a single login ID and password. Our company didn’t have any expertise in this area, so I ended up with about a quarter of a million dollars to spend to bring in some consulting expertise.
We ended up bringing in a large, well known consulting firm to help… they were really, really good but as you might expect, very expensive. I decided to negotiate a fixed scope, fixed price contract under the assumption that it would mitigate my risk. My goal was to shift all the delivery risk to the consulting firm so that I would be assured of delivering my project on time and on budget. Had we had perfect knowledge of what was required, that might have been a good strategy.
As you might have guessed, these guys knew way more about contracts, and way more about delivering LDAP solutions than I did. I imagine they anticipated we would need services not specified in the contract, but they also knew I had a not-to-exceed budget, and I’m sure they wanted the business. When the inevitable happened, and we realized that we needed services not specified in the original agreement, they created a change request document… actually several of them… and I had to go round up additional funding if I wanted the additional work.
While I was unsuccessfully trying to mitigate my risk with a fixed price, fixed scope, fixed time contract; they were successfully mitigating their risk by aggressive contract management and holding me accountable for everything that wasn’t explicitly called out in our original agreement. At the end of the day, who really absorbed the risk? It was me and my company, I just didn’t know it at the time because I was certain that I had asked for everything I needed up front. It wasn’t until we started building the solution that I realized I was wrong.
Now… let’s tie this back to my previous post on estimating.
When customers ask you for an estimate, they are most likely, either directly or indirectly, trying to shift the delivery risk onto the development team. They want to tell you everything they want, or at least what they think they want now, have the development team tell them what it will take to deliver it… and provided they can meet your time and cost demands… make development 100% responsible for delivery. Since we know that the customer doesn’t know everything they need up front, we aggressively manage scope to protect ourselves from the risk.
Based on the feedback on my estimating post… we all seem to agree that estimates are generally poor indicators of what it will take to actually deliver the product. We all agree there is a pretty good chance any estimate we provide will be misused by management. We know that making commitments based on bad estimates leads to an unacceptable level of risk for the development team. In response, we suggest that we shouldn’t even attempt to estimate. If we go this route, we are basically asking our customers to assume all the risk associated with the delivery. We are asking for unlimited time and money and maybe the customer will get what they need.
We assume that as long as the developers ‘do the best they can do, and deliver as much value as possible’ the customer should just take a chance they’ll get what they need, but if they don’t… and quite often that’s their reality, they are left with no options because all the time and money ran out. Just because the development team delivered the highest-value-potentially-shippable-product-as-possible… doesn’t mean that your customer has something they can sell to get a reasonable return on their investment. Aside from the fact this conversation is a non-starter with most business leaders I work with… it doesn’t feel like a very good way to run a business.
To me the answer lies not in the either-or proposition of fixed scope, time, and cost… or alternatively establishing no estimates and making no commitments. Both approaches put all the risk on the other party, shifting risk fully to one side or the other. To me, the answer lies in creating a culture of shared risk between the customer and the team. Both sides have to have skin in the game. Both sides have to realize the constraints the other is operating under. Both sides have to realize that estimates are just that… estimates. Both sides need to be partners in the delivery process.
The estimating process establishes the shared understanding we just talked about, and the numbers we come up with give us a planning baseline to measure the progress we are making (or aren’t making). The development team estimates, but customers realize that estimates have to be managed, assumptions have to be validated, issues have to be dealt with, risks have to be mitigated, and yes… sometimes requirements have to be descoped, or dates have to change, or costs have to go up. In an environment of shared understanding, shared accountability, and shared risk; everyone is on the hook for managing the delivery process.
Sharing risk means that we trust in the other’s abilities and intentions, we deal with reality when it doesn’t meet with our preconceived notions about what should be… or should be possible. This is not currently the default place in most organizations… our default place seems to be to shift as much risk as possible to our counterparts in the other parts of the business. Creating a culture of shared risk, and having the tools in place to manage that risk, is really the key to making all this stuff work. Insisting someone else assume all the risk doesn’t encourage the behavior we want, or the behavior we need between people that should operate as partners.
If we don’t estimate, we don’t have any way to know how far we’ve come and how far we’ve got left to go. It’s that simple to me… I suspect some of you guys out there might disagree. Looking forward to the conversation.